AFFIDAVIT OF MICHAEL W. TUNICK IN SUPPORT OF 
AN APPLICATION FOR A COMPLAINT 

I, Michael W. Tunick, state: 

INTRODUCTION AND AGENT BACKGROUND 

1. I am a Special Agent with the Federal Bureau of Investigation, and have been so 
employed since 2012. I am currently assigned to the Cyber Crimes Squad of the Boston Field 
Office of the FBI. As a member of this squad, my responsibilities include investigating criminal 
offenses including computer intrusions, wire fraud, and conspiracy. Through my training and 
experience, obtained both prior to and while being employed with the FBI, I am knowledgeable 
about computer systems, computer networks, networking hardware and software, network 
security, telecommunication systems, and the means by which individuals use computers, 
software applications and information networks to commit cyber offenses. During my tenure as 
a Special Agent, I have participated in the execution of numerous search warrants involving 
computer equipment, documents, and electronically stored information. Before joining the FBI, 
I worked in the area of information technology, and computer and network security. 

2. Since April 2014,1 have been investigating attacks against the computer networks 
of a large Massachusetts Hospital (the “Massachusetts Hospital” or “Hospital”) and a 
Massachusetts residential treatment center (the “Massachusetts Treatment Center”). 

3. I submit this affidavit in support of an application for a complaint charging Martin 
Gottesfeld with conspiracy (18 U.S.C. § 371) to intentionally cause damage to protected 
computers (18 U.S.C. §§ 1030(a)(5)(A) and 1030(c)(4)(B)). 

4. The facts in this affidavit come from my personal observations and review of 
records, my training and experience, and information obtained from other agents and witnesses. 


“PATIENT A” AND THE NETWORK ATTACKS 


5. In early 2014, the press began to report about the case of a teenage girl (“Patient 
A”) who was receiving medical treatment in Massachusetts. As was reported at the time in the 
press, a Massachusetts state court judge had placed Patient A in the custody of the Massachusetts 
Department of Children and Families because of concerns that her parents were interfering with 
her treatment. 

6. The issue of Patient A’s custody and medical care became a national media story, 
with religious and political organizations and others asserting that the case was an example of 
government interference with parental rights. 

7. News stories reported that Patient A had been treated at the Massachusetts 
Hospital, whose doctors continued to oversee her care even after she was transferred, in January 
2014, to the Massachusetts Treatment Center. 

8. On March 25, 2014, the computer network at the Massachusetts Treatment Center 
was hit with a Distributed Denial of Service (“DDOS”) attack. DDOS attacks direct an 
enormous amount of network traffic at the target computer server, with the intent to overwhelm 
that server and disrupt online services. Successful DDOS attacks can take a website or network 
offline for the duration of the attack, which can range from an hour to days or even weeks. 

9. The attack against the Massachusetts Treatment Center lasted for more than a 
week, crippled the Treatment Center’s website during that time, and caused it to spend more than 
$18,000 on response and mitigation efforts. 

10. On March 23, 2014, a video was posted on YouTube calling, in the name of the 
hacking organization Anonymous, for action against the Massachusetts Hospital in response to 
its treatment of Patient A. The video, which was narrated by a computer-generated voice, stated 


that Anonymous “will punish all those held accountable and will not relent until [Patient A] is 
free.” 

11. The YouTube video also stated: “To [The Massachusetts Hospital] - why do you 
employ people that clearly do not put patients first? We demand that you terminate [physician] 
from her employment or you too shall feel the full unbridled wrath of Anonymous. Test us and 
you shall fail.” The physician named in the video had been identified in press reports as being 
involved in the Patient A matter. 

12. The YouTube video directed viewers to a posting on the website pastebin.com 
that contained the information about the Massachusetts Hospital’s server necessary to initiate a 
DDOS attack against that server. 

13. On April 19, 2014, the Massachusetts Hospital reported a DDOS attack against 
the server identified in the pastebin.com posting. The DDOS attack, which directed hostile 
traffic at the Hospital’s network for at least seven days, disrupted that network and took the 
Hospital’s website out of service. The attack also disrupted the Hospital’s day-to-day operations 
as well as the research being done at the Hospital. The Hospital had to re-allocate its resources 
in a significant way to ensure that patient care was not affected during this period 

14. In addition to the DDOS attack, hackers attempted to intrude into the Hospital’s 
network, using malicious e-mail and other means. These attempts were not successful. 

15. In an effort to ensure the attack did not compromise patient information, the 
Hospital decided to shut down the portions of its network that communicated with the internet 
and its e-mail servers. This effort successfully prevented the attackers from accessing any 
patient records or other internal Hospital information. 


16. This shutdown of the Hospital’s website, external internet portal, and e-mail 
servers, however, impacted the entire Hospital community and particularly the ability of 
physicians outside of the Hospital to obtain medical records and of patients to communicate with 
physicians. It also disrupted an important fundraising period for the Hospital by disabling the 
Hospital’s fundraising portal. 

17. Responding to, and mitigating, the damage from this DDOS attack cost the 
Massachusetts Hospital more than $300,000. 

THE CONNECTION TO GOTTESFELD 

18. I have reviewed Massachusetts Hospital’s Webserver logs from the time of the 
DDOS attack. These logs showed hundreds of IP addresses flooding the network with malicious 
traffic. The IP addresses sending this malicious traffic resolve to geographically dispersed 
locations. I know that this is consistent with a sophisticated DDOS attack where the perpetrators 
are masking their physical location. 

19. Records for the account that posted the Youtube video calling for the attack on the 
Hospital show this account is owned and managed by Martin S. Gottesfeld. Those records also 
show the IP address that was used to post the video on March 23, 2014 and log in to the account 
on April 1, 2014. 

20. Records for RCN, the cable company that controls that IP address, list Martin S. 
Gottesfeld as the customer assigned to that IP address from at least March 23 to April 1, 2014. 
RCN records show that Gottesfeld receives his internet service at an address in Somerville, 
Massachusetts, which is also listed as his residence in Registry of Motor Vehicle records. 

21. Based on this and other information, I obtained a search warrant for Gottesfeld’s 


apartment on September 29, 2014. 


22. When the FBI executed this search warrant, on October 1, 2014, Gottesfeld 
agreed to be interviewed. During that interview, Gottesfeld admitted to operating the YouTube 
account that posted the video calling for the attack on the Massachusetts Hospital and to being 
the one who posted the video. But he denied participating in any DDOS attacks. 

23. During the course of my investigation, I identified a friend of Gottesfeld’s, whom 
I will refer to as Witness 1. I interviewed Witness 1, who told me that he had worked with 
Gottesfeld on social media projects related to treatment centers that treat children and teenagers 
like Patient A, although Witness 1 told me that he had no role in the campaign involving Patient 
A. 

24. Witness 1 said that, approximately a week after having read a newspaper article 
about the DDOS attack against the Massachusetts Hospital, Gottesfeld told him that he 
(Gottesfeld) had taken down the Hospital’s website. 1 

25. Pursuant to the search warrant, I reviewed the computers that Gottesfeld 
acknowledged were his when I interviewed him at the time of the search. Portions of these 
computers are encrypted, and I have not yet been able to review them. Other portions are not. 

26. I found, in an unencrypted portion of one of Gottesfeld’s computers, a series of 
Twitter direct messages, from March 23, 2014. The messages are between Gottesfeld, using the 
account “stoploganriver” (which Gottesfeld admitted in the interview was his) and someone 
using the account “DigitaGhost.” One of the message exchanges was: 

• Mar 23, 2014 12:49 AM EST @Digitaghost: I was also thinking of attacking one target 

to show them we are not fucking around. . . . 

1 The first time Witness 1 described this conversation with Gottesfeld, he said that it took 
place during a car ride with Gottesfeld. The second time Witness 1 described it, he said that 
Gottesfeld discussed the Hospital DDOS attack twice - once during a car ride and once standing 
outside Gottesfeld’s house. 



• Mar 23, 2014 12:51 AM EST @Digitaghost: It would require some thought on who 
#Target first anyway. Vuln scans blah blah blah. 

• Mar 23, 2014 12:51 AM EST @Stoploganriver: k, let me run it by the family reps first. I 
suggest [the Massachusetts Treatment Center]. 

27. In a later message, DigitaGhost confirmed the Treatment Center’s location with 
Gottesfeld: 

• Mar 23, 2014 12:58 AM EST @Digitaghost: This fucking site looks like one of your 
brainwashing schools. 

• Mar 23, 2014 12:59 AM EST @Stoploganriver: It is basically one of those schools, from 
what we can tell. That's how I was able to bring in #ShutLoganRiver 

• Mar 23, 2014 12:59 AM EST @Stoploganriver: that put this in our official purview. . . . 

• Mar 23, 2014 1:00 AM EST @Digitaghost: “[city], MA right?” 

28. In another exchange that day, Digitaghost told Gottesfeld that he would be able to 
successfully attack the Treatment Center’s servers: 

• Mar 23, 2014 1:02 AM EST @Digitaghost: Apache servers left unlatched. 
Lolololololololol. Fucking #OpSony all over again. 

• Mar 23, 2014 1:03 AM EST @Digitaghost: Unpatched* 

• Mar 23, 2014 1:04 AM EST @Digitaghost: We can tear that shit up. 

29. Two days later, on March 25, 2014, the press reported that the state court judge 
had granted permanent custody over Patient A to the Massachusetts Department of Children and 
Families. 

30. That day, a Twitter account “@AnonMercurial2” issued a series of public Twitter 
messages, which included the hashtag #Anonymous, calling for attacks on the Treatment 
Center’s website. 

31. Twitter records show that the “@AnonMercurial2” account was created by 
someone using e-mail account digitaldruid@riseup.net. My review of Gottesfeld’s computers 


identified internet history logs showing that Gottesfeld created the digitaldruid@riseup.net e- 
mail address. 

GOTTESFELD’S FLIGHT 

32. Gottesfeld has been aware of this investigation since the FBI searched his house 
in October 2014. 

33. Last week, I learned that the Somerville Police Department had conducted a 
wellness check at Gottesfeld’s apartment after receiving calls from his employer and from 
relatives concerned about his whereabouts. According to those calls, he had not been to work, 
nor had he or his wife had any contact with family members in several weeks, all without 
explanation. The Somerville Police found nobody home at his house. 

34. I also went by his house last Friday but it appeared that there was nobody home 
and no car was in the driveway. 

35. Today, I received a call from an FBI agent in the Bahamas, telling me that 
Gottesfeld and his wife were on a Disney Cruise Lines ship in the Bahamas. The agent told me 
that Gottesfeld and his wife were not passengers on the ship but rather had been picked up in a 
sailboat, not far from Cuba. The sailboat had run into trouble and Gottesfeld and his wife had 
placed a distress call, to which the cruise ship responded. They had some luggage with them, 
along with three laptop computers. 

36. The cruise ship is scheduled to return to Miami tomorrow morning, February 17, 

2016. 


THE STATUTES 


37. The conspiracy statute makes it a crime for: “two or more persons conspire either 
to commit any offense against the United States, or to defraud the United States, or any agency 


thereof in any manner or for any purpose, and one or more of such persons do any act to effect 
the object of the conspiracy.” 18 U.S.C. § 371. 

38. The computer fraud and abuse act makes it a crime to: “knowingly causes the 
transmission of a program, information, code, or command, and as a result of such conduct, 
intentionally cause[] damage without authorization, to a protected computer.” 18 U.S.C. § 
1030(a)(5)(A). 

39. The statute defines a “protected computer” to include one used in or affecting 
interstate or foreign commerce or communication 18 U.S.C.A. § 1030(e). The statute defines 
“damage” as “any impairment to the integrity or availability of data, a program, a system, or 
information.” 18 U.S.C. § 1030(e)(8). Here, the DDOS attacks impaired the availability of the 
victims’ computer systems by taking them off-line at times. The § 1030 violation becomes a 
felony if (among other things) it causes the potential modification or impairment of the medical 
examination, diagnosis, treatment, or care of one or more individuals. § 1030(c)(4)(B). 

CONCLUSION 

40. Based on the information described above, I have probable cause to believe that 
Martin Gottesfeld committed the crime of conspiracy, in violation of 18 U.S.C. § 371. 






